verifying unpacked signed add-ons

Kris Maglione kmaglione at mozilla.com
Fri Nov 3 22:48:09 UTC 2017


On Fri, Nov 03, 2017 at 03:25:39PM -0700, David Keeler wrote:
>[firefox-dev, dev-addons, and the enterprise mailing list cc'd - please
>direct follow-up discussion to dev-platform]
>
>Hello All,
>
>As you're no doubt aware, from 57 onwards, only signed WebExtensions
>will be available as add-ons for the general release population. My
>understanding is these are all packaged as "xpi" files (zip files,
>really, but what's important is that they're bundled up as a single file
>rather than a directory). Add-on developers can develop their add-ons by
>temporarily loading them as unsigned packages or unsigned unbundled
>directories (again, if my understanding is correct).
>
>This leaves the question of what use we have for verifying unbundled
>add-ons. Is there ever a case where we want to verify an unbundled yet
>signed add-on? For example, do we ever do this with system add-ons? (And
>if we do, I've been told this would be bad for performance, so perhaps
>we should disallow this?)

WebExtensions are never meant to be installed unpacked except during 
development. It's currently possible for some side-load methods to 
install them unpacked in production, but that's not supported. System 
add-ons are never installed unpacked in production builds.

So I'm fine with removing signature verification for unpacked add-ons as 
long as we make sure we never enable them when signatures are required.


More information about the firefox-dev mailing list